b'                     AUDIT REPORT\n\n\n                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security\n                            and Incident Response\n\n                       OIG-06-A-09 February 16, 2006\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n                              NRC\xe2\x80\x99s Web site at:\n             http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/\n\x0c                                        February 16, 2006\n\n\n\n\nMEMORANDUM TO:            Luis A. Reyes\n                          Executive Director for Operations\n\n\n\nFROM:                     Stephen D. Dingbaum/RA/\n                          Assistant Inspector General for Audits\n\n\nSUBJECT:                  AUDIT OF NRC\xe2\x80\x99S OFFICE OF NUCLEAR\n                          SECURITY AND INCIDENT RESPONSE\n                          (OIG-06-A-09)\n\n\nThis report presents the results of the subject audit. Agency comments provided\nat the exit conference on November 10, 2005, and written response, dated\nJanuary 19, 2006, have been incorporated, as appropriate, into this report.\nAppendix C contains the agency\xe2\x80\x99s written comments and our response.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken\nor planned are subject to OIG follow-up as stated in Management Directive 6.1.\n\nWe appreciate the courtesies and cooperation extended to us by members of\nyour staff during the audit. If you have any questions or comments about our\nreport, please feel free to contact me on 301-415-5915, or Beth Serepca on\n415-5911.\n\nAttachment: As stated\n\x0cElectronic Distribution\n\nJohn T. Larkins, Executive Director, Advisory Committee on Reactor\n Safeguards/Advisory Committee on Nuclear Waste\nG. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and\n Licensing Board Panel\nKaren D. Cyr, General Counsel\nJohn F. Cordes, Jr., Director, Office of Commission Appellate Adjudication\nJesse L. Funches, Chief Financial Officer\nJanice Dunn Lee, Director, Office of International Programs\nRebecca L. Schmidt, Director, Office of Congressional Affairs\nEliot B. Brenner, Director, Office of Public Affairs\nAnnette Vietti-Cook, Secretary of the Commission\nWilliam F. Kane, Deputy Executive Director for Reactor\n  and Preparedness Programs, OEDO\nMartin J. Virgilio, Deputy Executive Director for Materials, Research,\n  State and Compliance Programs, OEDO\nJacqueline E. Silber, Deputy Executive Director for Information Services\n   and Administration, and Chief Information Officer, OEDO\nWilliam M. Dean, Assistant for Operations, OEDO\nTimothy F. Hagan, Director, Office of Administration\nMichael R. Johnson, Director, Office of Enforcement\nGuy P. Caputo, Director, Office of Investigations\nEdward T. Baker, Director, Office of Information Services\nJames F. McDermott, Director, Office of Human Resources\nCorenthis B. Kelley, Director, Office of Small Business and Civil Rights\nJack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards\nJames E. Dyer, Director, Office of Nuclear Reactor Regulation\nCarl J. Paperiello, Director, Office of Nuclear Regulatory Research\nJanet R. Schlueter, Director, Office of State and Tribal Programs\nRoy P. Zimmerman, Director, Office of Nuclear Security and Incident Response\nSamuel J. Collins, Regional Administrator, Region I\nWilliam D. Travers, Regional Administrator, Region II\nJames L. Caldwell, Regional Administrator, Region III\nBruce S. Mallett, Regional Administrator, Region IV\n\x0c                           Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nEXECUTIVE SUMMARY\n\n       BACKGROUND\n\n       In the aftermath of the terrorist attacks of September 11, 2001, the\n       Nuclear Regulatory Commission (NRC) established the Office of\n       Nuclear Security and Incident Response (NSIR) in April 2002 to\n       develop overall agency policy and provide management direction\n       for security issues and incident response at nuclear facilities.\n       NSIR\xe2\x80\x99s mission is to prevent nuclear security incidents and to\n       respond to security and safety events. Since its inception, NSIR\n       has been involved in many substantive security and incident\n       response initiatives.\n\n       PURPOSE\n\n       The objective of this audit was to conduct an independent\n       evaluation of NSIR operations. Specifically, the evaluation focused\n       on NSIR\xe2\x80\x99s management of emergent work, communications with\n       stakeholders, and implementation of the organizational assessment\n       recommendations.\n\n       RESULTS IN BRIEF\n\n       NSIR has accomplished a great deal since its inception in April\n       2002. Along with the standing up of a new organization, NSIR\n       officials drafted and implemented numerous security orders,\n       approved security plans, enhanced the force-on-force exercise\n       program, and coordinated with the Department of Homeland\n       Security on a wide variety of security initiatives. Now, however,\n       NSIR needs to focus on refining and formalizing its day-to-day\n       operations to improve its ability to meet its mission. Specifically,\n       NSIR needs to:\n\n       \xc2\xbe improve the management of its workload,\n       \xc2\xbe improve its security communication procedures, and;\n       \xc2\xbe fully address the organizational effectiveness recommendations.\n\n               Workload Management Improvements\n\n       NSIR lacks an adequate process for evaluating and integrating\n       unanticipated assignments into its current workload and its process\n       for tracking emergent work is ineffective. As a result, staff are\n       overworked, and 12 percent of the planned and budgeted work was\n       not achieved.\n\n\n\n                                    i\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n        Security Communications Procedures\n\nRequirements for the establishment of NSIR included mandates to\nimprove the agency\xe2\x80\x99s communications concerning security issues\nand to determine the effectiveness of communications between\nNSIR and its internal and external stakeholders. Despite these\nrequirements, weaknesses exist in NSIR\xe2\x80\x99s process for interacting\nwith internal and external stakeholders and the office has\nperformed limited assessments of the success of its\ncommunications.\n\nIncomplete Consideration of Contractor Recommendations\n\nNSIR managers did not give timely consideration to\nrecommendations provided by the contractor hired to assess its\norganizational effectiveness 1 year after the office\xe2\x80\x99s inception.\nAlthough the organizational assessment was mandated by the\nCommission, there was no associated mandate to follow through\non the recommendations. In addition, competing priorities in NSIR\nmade it difficult for managers to complete action on the\nrecommendations. As a result, the office still exhibits some of the\nproblems identified during the initial assessment.\n\nRECOMMENDATIONS\n\nA consolidated list of recommendations appears on pp. 18 of this\nreport.\n\nAGENCY COMMENTS\n\nAt an exit conference with agency senior executives held on\nNovember 10, 2005, NRC officials generally believed the\nrecommendations in the report were constructive however, they did\nnot believe the findings reflected the current condition of the\norganization. Subsequent to the exit conference, NRC provided\ninformal comments on the draft report and OIG met with an NSIR\nrepresentative to address specific report issues and concerns. This\nfinal report incorporates revisions made, where appropriate, as a\nresult of the subsequent meetings and the agency\xe2\x80\x99s informal\ncomments.\n\nOn January 19, 2006, the Deputy Executive Director for Reactor\nand Preparedness Programs, Office of the Executive Director for\nOperations, provided a formal response to this report in which the\nstaff generally agreed with the report\xe2\x80\x99s recommendations, but not\n\n\n\n\n                            ii\n\x0c                  Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nwith all aspects of the OIG assessment. Based on the formal\ncomments, no additional changes were made to the report.\n\nThe Deputy Executive Director\xe2\x80\x99s transmittal letter and specific\ncomments on this report are included as Appendix C. Appendix D\ncontains OIG\xe2\x80\x99s specific responses to the agency\xe2\x80\x99s comments.\n\n\n\n\n                           iii\n\x0c       Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n                iv\n\x0c                    Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       NRC     U.S. Nuclear Regulatory Commission\n\n       NSIR    Office of Nuclear Security and Incident Response\n\n       OEDO    Office of the Executive Director for Operations\n\n       OMB     Office of Management and Budget\n\n\n\n\n                             v\n\x0c      Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n[Page intentionally left blank]\n\n\n\n\n               vi\n\x0c                                            Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nTABLE OF CONTENTS\n\n    EXECUTIVE SUMMARY.........................................................................i\n\n    ABBREVIATIONS AND ACRONYMS ....................................................v\n\n    I.        BACKGROUND .............................................................................1\n\n    II.       PURPOSE......................................................................................3\n\n    III.      FINDINGS ......................................................................................4\n\n         A.     NSIR Needs Workload Management Improvements ...................4\n\n         B.     NSIR\xe2\x80\x99s Security Communications Procedures\n                Need Improvement ....................................................................11\n\n         C.     Incomplete Consideration of Contractor Recommendations .....15\n\n    IV.       CONSOLIDATED LIST OF RECOMMENDATIONS ....................18\n\n    V.        AGENCY COMMENTS ................................................................19\n\n\n    APPENDICES\n\n    A.        SCOPE AND METHODOLOGY...................................................21\n\n    B.        ORGANIZATIONAL EFFECTIVENESS ASSESSMENT\n              RECOMMENDATIONS ................................................................23\n\n    C.        FORMAL AGENCY COMMENTS ................................................25\n\n    D.        DETAILED OIG ANALYSIS OF AGENCY COMMENTS..............29\n\n\n\n\n                                                     vii\n\x0c       Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               viii\n\x0c                                          Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nI. BACKGROUND\n\n                 The Nuclear Regulatory Commission (NRC) established the Office\n                 of Nuclear Security and Incident Response (NSIR) in April 2002 to\n                 develop overall agency policy and provide management direction\n                 for the evaluation and assessment of security issues at nuclear\n                 facilities and incident response. Responsibilities also were to\n                 include monitoring and assessing the threat environment and\n                 serving as the agency\xe2\x80\x99s security and safeguards interface with\n                 other Federal, State, and local agencies. The decision to establish\n                 NSIR was pursuant to NRC\xe2\x80\x99s post-September 11, 2001,\n                 comprehensive review of the agency\xe2\x80\x99s safeguards and security\n                 programs. This review of NRC\'s organizational structure, staffing,\n                 and training relative to security and safeguards determined that\n                 greater efficiency and effectiveness would be achieved by\n                 consolidating certain NRC safeguards, security, and incident\n                 response functions into a single office.\n\n                          Challenges for the New Office\n\n                 The NRC Commission envisioned that NSIR would be a security\n                 organization housing the headquarters emergency operations\n                 center and managing the emergency preparedness functions. One\n                 Commissioner anticipated that NSIR would serve as an advisory\n                 board reporting to the Commission with its own staff of engineers\n                 and security officials. In this manner, the Commissioner predicted,\n                 NSIR would operate as a self-reliant \xe2\x80\x9cthink tank.\xe2\x80\x9d The concern at\n                 the time was to avoid combining staff into a traditional program\n                 office where they would perform and think no differently than they\n                 had in their original offices.\n\n                 The Commission recognized the inherent difficulties that NSIR\n                 would face as a new office tasked with fulfilling a specific mission\n                 and establishing the infrastructure needed to support the office.\n                 Therefore, the Commission asked the office to perform an\n                 assessment within 1 year of operations to determine its\n                 organizational effectiveness. To fulfill this requirement, NSIR\n                 contracted with Acton Burnell, Inc. (Acton Burnell),1 to develop\n                 performance measures for areas and functions within NSIR,\n                 develop effective and efficient methods for gathering and analyzing\n                 performance measure data, and provide a written report assessing\n                 their achievement of these performance measures. In the report,\n                 dated May 2003, the contractor addressed NSIR\xe2\x80\x99s organizational\n\n1\n Acton Burnell, Inc. was an information technology company that provided consulting services to Federal\nGovernment clients. The company was purchased by CACI International, Inc., during the term of the\ncontract.\n\n                                                    1\n\x0c                             Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n          effectiveness and made specific recommendations to improve\n          leadership roles and responsibilities, implement a public relations\n          policy, improve or establish standard internal processes and\n          procedures, and improve overall effectiveness of internal and\n          external communications.\n\n                NSIR\xe2\x80\x99s Mission and Organization\n\n          NSIR\'s mission is to prevent nuclear security incidents and to\n          respond to security and safety events. The first part of the mission\n          focuses on what licensees need to do to ensure adequate security\n          for nuclear facilities and material. The latter part of the mission\n          refers to what the agency does to both prepare for and respond to\n          an incident, e.g., how NRC interacts with other Federal agencies\n          and with licensees.\n\n          NSIR is organized into three divisions: the Division of Nuclear\n          Security; the Division of Preparedness and Response; and\n          Program Management, Policy Development and Analysis Staff.\n          NSIR\xe2\x80\x99s FY 2005 Headquarters staffing level was 199 as shown on\n          the organization chart below.\n\n           Office of Nuclear Security and Incident Response\n                          Organizational Chart\n\n\n\n\n                              Director and\n                             Deputy Director\n                                (7 staff)\n\n\n\n\nDivision of Nuclear            Division of                        Program\n     Security               Preparedness and                  Management, Policy\n    (113 staff)                Response                        Development and\n                                (59 staff)                      Analysis Staff\n                                                                  (20 staff)\n\n          The Division of Nuclear Security develops and directs\n          implementation of policies and programs for the evaluation and\n          assessment of security at nuclear facilities. The Division of\n          Preparedness and Response develops and directs the NRC\n\n\n                                      2\n\x0c                            Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n         program for investigation of operational incidents and the NRC\n         program for regulating emergency preparedness of nuclear power\n         plant licensees. Additionally, this division is the agency\xe2\x80\x99s incident\n         response interface with the Federal Emergency Management\n         Agency and other Federal agencies. Program Management, Policy\n         Development and Analysis Staff, an administrative division,\n         provides long-range planning, budget development, financial and\n         information resources management, human resource analysis,\n         Freedom of Information Act coordination, and management of\n         principal correspondence.\n\n         According to NSIR officials, in fiscal year (FY) 2005, the office was\n         authorized a staff of 193 with an estimated budget of $25,000,000\n         for salaries and benefits, and $15,826,000 for travel, training, and\n         contract support costs.\n\n\nII. PURPOSE\n\n      The objective of this audit was to conduct an independent evaluation of\n      NSIR operations. Specifically, the evaluation focused on NSIR\xe2\x80\x99s\n      management of its emergent work, communications with stakeholders,\n      and implementation of the organizational effectiveness assessment\n      recommendations. Appendix A contains information on the audit\n      scope and methodology.\n\n\n\n\n                                     3\n\x0c                               Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nIII. FINDINGS\n\n     Since its inception in April 2002, NSIR has been involved in many\n     substantive activities to include implementing security orders and the\n     approval of revised security plans for all power reactors and Category I\n     fuel cycle facilities, enhanced the implementation of the force-on-force\n     exercise program, and coordinated closely with the Department of\n     Homeland Security on a wide range of security and safety initiatives.\n     However, in the achievement of its mission NSIR:\n\n           A. Needs to improve the management of its workload.\n\n           B. Needs to improve its security communications procedures and\n              to be positioned to assess the success of its internal and\n              external security communications.\n\n           C. Has not fully addressed the recommendations provided by the\n              contractor hired to assess NSIR\xe2\x80\x99s organizational effectiveness.\n\n           These shortcomings occurred because NSIR managers, faced with\n           competing priorities, have not spent adequate time to address\n           these matters. As a result, NSIR operates in an unpredictable\n           environment which negatively impacts its ability to accomplish its\n           work, reduces morale of the staff, and shows no sign of\n           improvement.\n\n     A. NSIR Needs Workload Management Improvements\n\n           While NSIR has accomplished much, the office still needs to\n           improve the management of its workload. Improvements are\n           needed because NSIR lacks an adequate process for evaluating\n           and integrating unanticipated assignments (\xe2\x80\x9cemergent work\xe2\x80\x9d) into\n           its current workload and because the office\xe2\x80\x99s process for tracking\n           emergent work is ineffective. As a result, NSIR staff are\n           overworked, the office failed to accomplish 12 percent of its FY\n           2004 planned and budgeted activity and managers need to improve\n           the ability to adequately accommodate the office\xe2\x80\x99s future workload.\n\n           Efficiency and Decisionmaking Requirements\n\n           The Government Performance and Results Act of 1993 holds\n           Federal agencies accountable for achieving program results;\n           therefore, NRC developed specific measures to compare actual\n           program results with strategic performance goals. The\n           achievement of these performance measures are tracked in office\n           operating plans and are reported on a quarterly basis to the Office\n\n\n                                        4\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nof the Chief Financial Officer. Outcomes are scored in terms of\nsuccessful performance, mixed results, and unsatisfactory\nperformance.\n\nAccording to the Government Accountability Office\xe2\x80\x99s Standards for\nInternal Controls in the Federal Government, agency internal\ncontrols should provide reasonable assurance that agency\nobjectives are being achieved, for example, that operations are\neffective and efficient, including the use of entity resources.\nFurthermore, both this guidance and Office of Management and\nBudget Circular No. A-123 (OMB A-123), Management\nAccountability and Control, require that internal controls ensure that\nreliable and timely information is obtained, maintained, reported,\nand used for management decisionmaking. The intent is to ensure\nthat agency managers receive information needed to assess\nwhether they are meeting their annual performance goals, as well\nas the goal for effective and efficient use of resources.\n\nWorkload Management Improvements Needed\n\nNSIR manages its workload ineffectively by focusing on (a)\nunanticipated assignments (\xe2\x80\x9cemergent work\xe2\x80\x9d) to the detriment of (b)\nplanned and budgeted activities.\n\n       a. The Emergent Workload\n\nSince its inception in 2002, the NSIR staff has had to deal with a\nsignificant number of assignments that fall outside of the planned\nand budgeted activities reflected in the office\xe2\x80\x99s annual operating\nplan (referred to in NSIR as the Leadership Operating Plan). These\nunplanned and unbudgeted assignments, referred to as \xe2\x80\x9cemergent\nwork,\xe2\x80\x9d are usually initiated from entities external to NSIR. As\nindicated by the pie chart below depicting the 394 emergent work\nentries analyzed, 35 percent of the emergent work items are\nassigned from the Office of the Executive Director for Operations\n(OEDO) and other NRC program offices, 18 percent reflect\nrequests from other Federal agencies, 15 percent represent work\nassigned by the Commission, and the remainder reflects requests\nfrom a variety of other entities.\n\n\n\n\n                            5\n\x0c                                      Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n    Sources of NSIR\'s Emergent Work, April 2004 - April 2005\n\n\n\n\n               Other Governments 7%        Chairman/ Commission\n                                                   15%\n      Nuclear Industry 10%\n\n\n                                                        NSIR 11%\n\n\nFederal Agencies 18%\n\n\n\n\n              Congress 4%\n                                              OEDO 35%\n\n\n\n\n           NSIR managers could not precisely quantify the amount of\n           emergent work assigned to NSIR, but estimated that the office\n           handles about 12 to 15 FTEs of unexpected work each year based\n           on emergent work assignments tracked and managed from May to\n           December 2004.\n\n           Examples of emergent work cited by NSIR staff include\n           unscheduled participation in national preparedness exercises,\n           classification reviews of reports and other documents, responding\n           to Chairman and Commission requests for security information, and\n           answering queries from Congress and the Department of\n           Homeland Security.\n\n                       b. Impact on Planned and Budgeted Activities\n\n           Attending to emergent work has an impact on NSIR\xe2\x80\x99s planned and\n           budgeted activities and its ability to support NRC\xe2\x80\x99s performance\n           goals. According to NSIR\xe2\x80\x99s FY 2004 Leadership Operating Plan,\n           Close Out Status Report, which documents the achievement of\n           performance measures established to support NRC\xe2\x80\x99s Strategic\n           Plan, NSIR was unable to achieve a satisfactory score for about 12\n           percent of its performance indicators. Mixed results were reported\n           for 17 percent of the performance indicators. Following are\n           examples of the performance measures for which NSIR reported\n           unsatisfactory results:\n\n\n                                               6\n\x0c                                           Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n                  \xe2\x80\xa2   FOIA Requests \xe2\x80\x93 Forty-three percent of the Freedom of\n                      Information Act requests were not completed on time.\n\n                  \xe2\x80\xa2   Foreign Travel Indicators \xe2\x80\x93 NSIR was generally unable to\n                      meet the deadlines for these reports, which summarize issues\n                      that have technical or administrative significance to the agency.\n                      These reports were not completed on time.\n\n                  \xe2\x80\xa2   FTE Expenditures \xe2\x80\x93 NSIR was unable to take advantage of\n                      staffing opportunities to hire up to its authorized level during FY\n                      2004. As a result it was unable to perform activities for\n                      safeguards inspections and regulatory improvements.\n\n                  \xe2\x80\xa2   Quality of EDO-Controlled Correspondence2 \xe2\x80\x93 Twenty-six\n                      percent of the controlled correspondence items were returned to\n                      NSIR for administrative corrections.\n\n                  Most Assignments Treated as High Priority; Emergent Work\n                  Process Not Fully Implemented\n\n                  NSIR does not adequately manage its workload for two reasons:\n\n                  a. NSIR\xe2\x80\x99s process for evaluating the appropriate priority level for\n                     emergent work and then integrating these work assignments\n                     into the office has not been effectively implemented.\n\n                  b. NSIR is not completely implementing its Emergent Work\n                     Process and subsequently cannot use data gathered through\n                     this process to adjust resources to better accommodate the\n                     office workload.\n\n                           a. Integration of Assignments Needs to be More Effectively\n                           Implemented\n\n                  Despite reporting emergent work as a challenge since the office\n                  was established in April 2002, NSIR managers generally consider\n                  emergent work their first priority and push assignments aside to\n                  address the emergent work. Officials said they believe that upper\n                  management does not say \xe2\x80\x9cno\xe2\x80\x9d to additional work. NSIR managers\n                  assign most emergent work assignments a high priority weight,\n                  frequently adding more assignments to the workload before other\n                  high priority work has been completed.\n\n\n2\n  Controlled Correspondence refers to communications that \xe2\x80\x93 on the basis of their source, subject matter, or\npossible impact on NRC programs \xe2\x80\x93 require priority control, response, and management awareness. Such\nassignments are conveyed to NSIR through the agency\xe2\x80\x99s green ticket system or through the agency\xe2\x80\x99s Work\nItem Tracking System.\n\n                                                     7\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nNSIR managers stated that there is high-level interest in security\nissues within NRC and from external sources, and NSIR wants to\naddress its NRC stakeholders and Federal partners by responding\nto their respective requests. One manager said NSIR\xe2\x80\x99s job is to\nwork the highest priority level work \xe2\x80\x93 which he considers to be\nemergent work \xe2\x80\x93 first, and that short-turnaround deadlines are the\n\xe2\x80\x9cnature of the beast\xe2\x80\x9d because a significant portion of NSIR\xe2\x80\x99s\nassignments are emergent work.\n\n      b. Incomplete Implementation of Emergent Work Process\n\nNSIR managers are not completely implementing the office\xe2\x80\x99s\nEmergent Work Process to help the office obtain timely and reliable\ninformation to plan for and accommodate the emergent workload.\n\nIn June 2004, NSIR initiated an Emergent Work Process to help\nmanagers quantify and document NSIR\xe2\x80\x99s emergent work and\nassess its impact on budgeted work. Two important tools for this\nProcess were to be the office\xe2\x80\x99s work tracking database and the\nemergent work log (a WordPerfect table located on the shared\ndrive). The work tracking database was to be used by NSIR\nmailroom staff to record specific details about emergent work\nassignments and the emergent work log was to be used by NSIR\nmanagers to document the impact of emergent work on the office\xe2\x80\x99s\nworkload. Together, it was envisioned, these tools would allow\nmanagers the information they need to track emergent work,\nassess its impact on office operations, and inform the budget\nprocess to plan for future needs.\n\nHowever, the Emergent Work Process is not working as effectively\nas intended because NSIR staff are not consistently recording\nemergent work assignments in the log and mailroom staff are not\nincluding these assignments in the ticket tracking system.\nConsequently, NSIR managers do not have the information they\nneed to quantify these assignments, assess their impact, assist\nwith resource management and workforce planning, and inform the\nbudget process. Furthermore, this situation denies managers\naccess to reliable and timely data necessary to make decisions in\naccordance with OMB A-123 requirements. Such information could\nalso help managers establish a prioritization for new assignments.\n\n\n\n\n                            8\n\x0c                                              Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n                    Staff reported that they do not use the emergent work log\n                    consistently because only one user can enter data at a time, it is\n                    time consuming to enter the data, and because they have a short\n                    amount of time before the assignment is due. In fact, a few\n                    sections use an independent tracking system for purposes of\n                    managing their own workload.\n\n                    NSIR Operates in a Unpredictable Mode and Lacks Information\n                    to Effect Change\n\n                    As a result of treating most assignments as high priority\n                    assignments and failing to collect data to inform the budget process\n                    to better plan for future emergent work, NSIR is unable to operate\n                    in other than an unpredictable mode on a constant basis. This\n                    environment of taking on unanticipated assignments and then\n                    designating these assignments as high priority required 26\n                    members of NSIR\xe2\x80\x99s staff to work 4,739 hours of overtime during FY\n                    2004, or approximately 182 overtime hours per person. According\n                    to some staff, everything has to be done immediately and in one\n                    division it is estimated that 50 percent of the time staff are pulled\n                    from one assignment to work on other incoming assignments.\n                    NSIR\xe2\x80\x99s attrition rate for fiscal years 2003 and 2004 (5.69 percent\n                    and 7.05 percent, respectively) was higher than the agency\xe2\x80\x99s\n                    attrition rate.3 Long workdays and unrealistic deadlines are factors\n                    that lead to an increase in employee fatigue, stress, a lack of\n                    concentration, and burnout. Furthermore, the level of emergent\n                    work affects the staff\xe2\x80\x99s ability to turn in OEDO-controlled\n                    correspondence that does not have to be returned for corrections,\n                    and is completed on time.\n\n                    NSIR staff said they thought the flow of emergent work and other\n                    assignments would slow down as the years since the terrorist\n                    incidents of 9/11 passed. Given that this has not occurred, NSIR\n                    should develop a means for ranking the assignments it receives to\n                    ensure the economical use of its resources.\n\n                    Compounding this problem is that NSIR\xe2\x80\x99s emergent work tools\n                    (ticket tracking and emergent work log) need to be refined to\n                    document the use of its resources and to provide the basis for the\n                    budget increases it requires. The emergent work log could be\n                    enhanced by including pertinent information such as the number of\n                    emergent work assignments NSIR received, how often the\n                    assignments are received, the source of the assignments, and how\n                    long the staff has to work on them, so managers can better inform\n                    the budget process concerning actual resource needs.\n\n3\n    The agency\xe2\x80\x99s attrition rate for fiscal years 2003 and 2004 was 5.02 percent and 5.06 percent, respectively.\n\n                                                        9\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nSummary\n\nBecause NSIR treats most of its assignments as high priority and\nhas not fully implemented its Emergent Work Process, the office is\nunable to effectively manage its workload and operates in an\nunpredictable mode on a constant basis. By taking the steps\nrecommended below, NSIR will reduce the overtime worked by\nstaff and prevent the staff from experiencing the effects of\nemployee burnout.\n\nRecommendations:\n\nOIG recommends that the Executive Director for Operations:\n\n1.   Establish a means of assessing the current workload and\n     prioritizing assignments, including but not limited to emergent\n     work, as they are received, so they can be incorporated into\n     the workload without overextending NSIR\xe2\x80\x99s resources.\n\n2.   Review the Emergent Work Process to ensure emergent work\n     is accurately documented to assist with workforce and budget\n     decisions.\n\n3.   Develop an emergent work log that is user-friendly and\n     records the required information on the impact of emergent\n     work on NSIR planned/budgeted assignments.\n\n\n\n\n                           10\n\x0c                        Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nB. NSIR\xe2\x80\x99S Security Communications Procedures Need Improvement\n\n     The requirements for the establishment of NSIR included mandates\n     to improve the agency\xe2\x80\x99s communications concerning security\n     issues and to determine the effectiveness of communications\n     between this newly formed office and its internal and external\n     stakeholders. Despite these requirements, weaknesses exist in\n     NSIR\xe2\x80\x99s process for interacting with other offices and stakeholders,\n     and the office has performed limited assessments of the success of\n     its communications. These weaknesses exist because NSIR did\n     not establish:\n\n     \xe2\x80\xa2   Policies and procedures for interactions between NSIR and the\n         program offices and regions.\n\n     \xe2\x80\xa2   A method to measure the effectiveness of its internal and\n         external communications.\n\n     If NSIR is unsuccessful in communicating with its stakeholders,\n     these problems could lead to the incorrect dissemination of\n     information, inappropriate use of resources, and diminished public\n     confidence.\n\n     Commission Mandates for Improved Communications\n\n     In creating NSIR, the Commission included the mandate to improve\n     NRC\xe2\x80\x99s security communications, both internally and externally. The\n     Commission directed NSIR to (1) improve NRC\xe2\x80\x99s communications\n     with internal and external stakeholders, and 2) develop procedures\n     to manage NSIR\xe2\x80\x99s interactions and coordination with other NRC\n     offices.\n\n     NSIR\xe2\x80\x99s Security Communications Need Improvement\n\n     NSIR communicates with NRC offices, regions, licensees and the\n     public in a variety of formats including working groups, steering\n     committees, public meetings, and conference calls. Despite these\n     interactions and requirements for improved security\n     communications and procedures, NSIR\xe2\x80\x99s process for interfacing\n     with program offices and regions is not always sufficient.\n     Specifically,\n\n     a. NSIR management officials do not always give other program\n        offices enough time to thoroughly review, provide input, and\n        concur on documents containing reactor security issues.\n\n\n\n                                11\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nb. The office does not provide sufficient guidance on how regional\n   resources to be used for security programs are to be allocated.\n\nc. NSIR lacks a means to determine whether improvements are\n   achieved in security communications.\n\n      a. Inadequate Time Allotted for Input and Concurrence\n\nNSIR management officials do not always give other program\ndivisions enough time to thoroughly review, provide input, and\nconcur on documents containing reactor security issues. For\nexample, NSIR allotted only 3 hours for another office\xe2\x80\x99s\nmanagement to provide input and concurrence on a document\naddressing reactor security issues. This document, which\npertained to fire safety, contained regulations that would have a far\nreaching impact on licensees and NRC. Managers in that office\nrecalled they had significant questions about the document and\nraised issues that, they stated, should have been addressed and\nresolved earlier in the input and concurrence process. These\nindividuals informed NSIR that they would not be able to comment\nand concur within the time constraint. Therefore, instead of waiting\nfor that office\xe2\x80\x99s input, NSIR forwarded the document to the Office of\nthe Executive Director for Operations without the benefit of\nagreement on issues that affect more than NSIR. Similar problems\nhave occurred in situations when NSIR required another office to\nreview regulatory actions (e.g., generic communications, regulatory\nguide revisions, rulemaking) pertaining to safety-security issues.\n\n      b. NSIR Does Not Provide Sufficient Guidance on How\n         Regional Resources Are to be Allocated\n\nNSIR has inefficient communications with NRC\xe2\x80\x99s regional offices\nconcerning the use of resources that NSIR provides to the regions.\nAlthough NSIR provides each region with FTE resources, it does\nnot sufficiently indicate how these limited resources are expected to\nbe used during the given year. For example, NSIR will provide\neach regional office with 7 FTE to perform physical security\ninspections. However, as NSIR adds security requirements, or\nassigns emergent work to the regions, NSIR expects the regions to\nfulfill the requirements without additional resources. One regional\noffice management official stated that NSIR neglects to\ncommunicate with the regions ahead of time, and instead just tells\nthe region what is required of the region when the need arises. In\nthese instances NSIR can make multiple requests for the region to\nuse the same resources because NSIR does not make a clear\nindication of how the resources are to be utilized.\n\n\n\n                           12\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n       c. NRC Lacks a Means to Determine Whether\n          Improvements are Achieved in Security Communications\n\nNSIR has not assessed its communications or measured its levels\nof improvement in communications as mandated by the\nCommission when the office was established. As part of the 1-\nyear assessment of NSIR\xe2\x80\x99s organizational effectiveness, Acton\nBurnell interviewed internal and external stakeholders to gauge\nstakeholder satisfaction and expectations of the newly formed NSIR\norganization. Although the assessment reflected positive results\nbased on a limited number of questions and respondents, this\ncannot be construed as a reliable indicator of improvement due to\nthose limitations. More than one-half of the respondents in some\ngroups reported being unqualified to answer, the result was based\non a single question, and only one public interest group was\nconsulted. Furthermore, internal and external stakeholders were\nnot interviewed in any of NSIR\xe2\x80\x99s attempts to address some of the\nrecommendations contained in the Organizational Effectiveness\nAssessment. Consequently, NSIR does not know if it has improved\nsecurity communications and lacks a baseline from which to\nmeasure improvement.\n\nPolicy and Procedure Not Established for Interactions\nBetween NSIR and its Stakeholders\n\nNSIR\xe2\x80\x99s communication problems exist because the office did not\nestablish within its infrastructure (1) policies and procedures for\ninterfaces between NSIR and its stakeholders, including other NRC\nprogram offices, the regions, and public interest groups, and (2)\nprocedures for assessing improvements in internal and external\ncommunications. Thus, while the office would benefit from policies\nand procedures that, for example, provide guidance on managing\nthe communications process or measuring the status of NSIR\xe2\x80\x99s\ncommunication efforts, NSIR lacks such policies.\n\nIn the absence of communications policies, some NSIR\nsections/divisions have devised their own policies based on their\nexperiences and needs. For example, to expedite the\ncommunications process some staff hand carry documents to\ngather input from other offices included in the concurrence chain.\nNSIR has drafted one procedure for interfacing with the\nCommission, titled Office Procedure for Communicating Information\nto Commissioners\' Assistants, but it is not yet in effect. NSIR office\n\n\n\n\n                           13\n\x0c                                          Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n                   procedures include Internal Commission-Level Correspondence\n                   Procedures, COM 203, October 1, 2002, and Management of\n                   Controlled Correspondence, COM 201, February 19, 2005, but\n                   organizational changes have caused the first procedure to be\n                   outdated and the latter not to be used.\n\n                   Diminished Public Confidence\n\n                   NSIR\xe2\x80\x99s lack of policies and procedures for efficient communications\n                   with its stakeholders has led to diminished public confidence.\n                   Three representatives of public interest groups conveyed\n                   dissatisfaction concerning NSIR\xe2\x80\x99s methods for communicating.\n                   NSIR\xe2\x80\x99s lack of policies and procedures could also lead to the\n                   incorrect dissemination of information and inappropriate use of\n                   resources. NSIR\xe2\x80\x99s ability to share sensitive or classified\n                   information is limited to those who have a need to know, as well as\n                   by NRC policy, however their unclassified communication needs to\n                   be increased to enhance public confidence. OIG reported on a\n                   related situation in the audit of NRC\xe2\x80\x99s Generic Communications\n                   Program4. During that audit, OIG found that the issuance of\n                   generic communications outside of NRC\xe2\x80\x99s existing polices and\n                   procedures compromises its openness policy thereby affecting the\n                   public confidence in NRC\xe2\x80\x99s regulatory process and decision-\n                   making.\n\n                   Recommendations\n\n                   OIG recommends that the Executive Director for Operations:\n\n                   4.    Establish and implement policies and procedures for\n                         communications between NSIR and internal and external\n                         stakeholders.\n\n                   5.    Establish and implement a method to measure the level of\n                         effective communications.\n\n\n\n\n4\n    Audit of NRC\xe2\x80\x99s Generic Communications Program (OIG-05-A-19), September 30, 2005.\n\n                                                  14\n\x0c                        Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nC. Incomplete Consideration of Contractor Recommendations\n\n     NSIR managers failed to give timely consideration to\n     recommendations provided by the contractor hired to assess\n     NSIR\xe2\x80\x99s organizational effectiveness 1 year after the office\xe2\x80\x99s\n     inception. Although the organizational assessment was mandated\n     by the Commission, there was no associated mandate to follow\n     through on recommendations. In addition, competing priorities in\n     NSIR made it difficult for managers to complete action on the\n     recommendations. As a result, 3 years after the contractor issued\n     its assessment on NSIR, the office still exhibits some of the\n     problems identified during the initial assessment.\n\n     Requirements\n\n     As previously stated, upon its approval for the establishment of\n     NSIR, the Commission required the Executive Director for\n     Operations to perform an organizational assessment within 1 year\n     of the new office\xe2\x80\x99s formation and provide the Commission with the\n     results of this assessment. As a result, NSIR entered into a\n     contract with Acton Burnell, the consulting firm selected to perform\n     the assessment.\n\n     OMB A-123 makes Federal managers responsible for taking timely\n     and effective action to correct deficiencies identified by audits,\n     evaluations, and related recommendations. In accordance with\n     OMB A-123, managers are tasked with promptly evaluating and\n     determining proper actions in response to known deficiencies.\n     Managers are expected to complete all actions that correct or\n     otherwise resolve these problems.\n\n     Incomplete Response to Recommendations\n\n     Despite OMB A-123 requirements for timely response to\n     deficiencies identified by audits and evaluations, while NSIR\n     managers have taken action on recommendations provided by the\n     contractor hired to perform the 1-year assessment some were not\n     completely addressed. Furthermore, some actions taken did not\n     meet the intent of the recommendations.\n\n     Acton Burnell\xe2\x80\x99s principle findings, reported in NSIR One Year Later:\n     An Organizational Effectiveness Assessment, dated May 21, 2003,\n     pertained to constantly changing work priorities, inequitable work\n     distribution, and the lack of office procedures. This report included\n     eight \xe2\x80\x9cquick hit\xe2\x80\x9d recommendations and five multi-part\n     comprehensive recommendations. Implementation of the quick hit\n     recommendations required low-cost efforts such as the adoption of\n\n                                15\n\x0c                    Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\npre-existing policies and procedures from other NRC organizations.\nThe remaining recommendations required a more comprehensive\napproach to implement, for example, proactively\ninfluencing/managing priorities and resuming public outreach to\nselected external stakeholders. See Appendix B for a full listing of\nActon Burnell\xe2\x80\x99s recommendations.\n\nAs stated above, a number of efforts were initiated by various\nmembers of NSIR\xe2\x80\x99s staff to resolve some of the recommendations.\nFor example, in response to Acton Burnell\xe2\x80\x99s concern about\nworkspaces located in high-traffic, noisy areas, an NSIR official\nworked with the Office of Administration to request additional office\nspace. However, this did not take care of the initial concern, which\nwas not focused on a need for additional space, but rather a need\nfor a quieter space. See Appendix B for OIG\xe2\x80\x99s assessment of\nNSIR\xe2\x80\x99s actions.\n\nIn 2004 NSIR hired Acton Burnell to perform a \xe2\x80\x9cpulse check\xe2\x80\x9d to\ndetermine how well NSIR had progressed from the initial\nassessment. The \xe2\x80\x9cpulse check\xe2\x80\x9d was limited in scope with a limited\nreview of actions taken on recommendations from the prior\nassessment. However, the 2004 \xe2\x80\x9cpulse check\xe2\x80\x9d reported the staff\xe2\x80\x99s\nconcern about a deviation from the mission due to the high volume\nof non-mission-essential emergent work. It was also reported that\nthe staff felt pressured to work overtime and the culture of the office\nis that you can\xe2\x80\x99t say \xe2\x80\x9cno\xe2\x80\x9d to additional assignments\n\nNo Requirement or Process to Address Recommendations\n\nNSIR did not fully implement actions on the assessment\nrecommendations because\n\n\xe2\x80\xa2   There was no requirement to report on actions taken and\n    improvements made.\n\n\xe2\x80\xa2   NSIR lacked a followup system for tracking the\n    recommendations.\n\n\xe2\x80\xa2   NSIR faced challenges in handling its workload.\n\nWhile NSIR was required to conduct an organizational assessment\nand report the results to the Commission, there was no requirement\nto report on followup activities after the performance of the initial\norganizational assessment. NSIR was not required to take the\nactions necessary to implement the assessment recommendations.\nOIG was told that the assessment recommendations were not\nimplemented because the NSIR staff was too busy reacting to the\n\n                            16\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nenvironment rather than taking the time to address the\nrecommendations, and OIG believes the managers preferred to\nhave the staff handle the emergent work rather than work on the\nrecommendations.\n\nSimilar Issues Remain Today\n\nSimilar problems to those identified in Acton Burnell\xe2\x80\x99s 1-year\nassessment remain today, as evidenced by the pulse check\nperformed by Acton Burnell and the findings reported in this OIG\naudit report. As a result, NSIR\xe2\x80\x99s program remains affected by\nchanging priorities that result from emergent work, staff are working\nnumerous hours of overtime, and managers are unable to turn\ndown assignments. These issues mirror those reported by the\ncontractor.\n\nRecommendation:\n\nOIG recommends that the Executive Director for Operations:\n\n6.   Assess the recommendations from the 2003 office\n     assessment to determine their applicability and implement\n     those that would benefit NSIR today.\n\n\n\n\n                           17\n\x0c                           Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nIV. CONSOLIDATED LIST OF RECOMMENDATIONS\n\n        OIG recommends that the Executive Director for Operations:\n\n        1.   Establish a means of assessing the current workload and\n             prioritizing assignments, including but not limited to emergent\n             work, as they are received, so they can be incorporated into\n             the workload without overextending NSIR\xe2\x80\x99s resources.\n\n        2.   Review the Emergent Work Process to ensure emergent work\n             is accurately documented to assist with workforce and budget\n             decisions.\n\n        3.   Develop an emergent work log that is user-friendly and\n             records the required information on the impact of emergent\n             work on NSIR planned/budgeted assignments.\n\n        4    Establish and implement policies and procedures for\n             communications between NSIR and internal and external\n             stakeholders.\n\n        5.   Establish and implement a method to measure the level of\n             effective communications.\n\n        6    Assess the recommendations from the 2003 office\n             assessment to determine their applicability and implement\n             those that would benefit NSIR today.\n\n\n\n\n                                   18\n\x0c                          Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nV. AGENCY COMMENTS\n\n       At an exit conference with agency senior executives held on\n       November 10, 2005, NRC officials generally believed the\n       recommendations in the report were constructive however, they did\n       not believe the findings reflected the current condition of the\n       organization. Subsequent to the exit conference, NRC provided\n       informal comments on the draft report and OIG met with an NSIR\n       representative to address specific report issues and concerns. This\n       final report incorporates revisions made, where appropriate, as a\n       result of the subsequent meetings and the agency\xe2\x80\x99s informal\n       comments.\n\n       On January 19, 2006, the Deputy Executive Director for Reactor\n       and Preparedness Programs, Office of the Executive Director for\n       Operations, provided a formal response to this report in which the\n       staff generally agreed with the report\xe2\x80\x99s recommendations, but not\n       with all aspects of the OIG assessment. Based on the formal\n       comments no additional changes were made to the report.\n\n       The Deputy Executive Director\xe2\x80\x99s transmittal letter and specific\n       comments on this report are included as Appendix C. Appendix D\n       contains OIG\xe2\x80\x99s specific responses to the agency\xe2\x80\x99s comments.\n\n\n\n\n                                  19\n\x0c       Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               20\n\x0c                         Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n                                                                           Appendix A\nSCOPE AND METHODOLOGY\n\n       Auditors conducted an independent evaluation of NSIR\xe2\x80\x99s\n       operations. The audit focused on NSIR\xe2\x80\x99s management of its\n       emergent work, communications with stakeholders, and\n       implementation of the organizational assessment\n       recommendations.\n\n       OIG reviewed relevant criteria including the Staff Requirements\n       Memorandum (SECY-02-0036) that established NSIR;\n       Management Directive 10.77, "Employee Training and\n       Development," Management Directive 4.4, \xe2\x80\x9cManagement Controls,\xe2\x80\x9d\n       the agency\xe2\x80\x99s strategic workforce plan establishing the means for\n       recruitment, retention and development of professional engineering\n       and security staff; United States Government Accountability Office\n       \xe2\x80\x9cStandards for Internal Control in the Federal Government,\xe2\x80\x9d NSIR\n       FY2005 Management Control Plan; NRR Office Instruction No:\n       BUD-102, "NRR Add/ Shed/ Defer Procedure." OIG reviewed and\n       analyzed the contract between NSIR and Acton Burnell, Inc. for the\n       development and implementation of an organizational effectiveness\n       assessment and the assessment report developed by Acton\n       Burnell, Inc.\n\n       OIG interviewed numerous members of NSIR\xe2\x80\x99s management and\n       staff to discuss how the office conducts and handles assessment\n       reviews, emergent work, staff development, interoffice\n       communication, and relationship development with stakeholders.\n       Auditors also interviewed members of the Commission\xe2\x80\x99s staff, and\n       employees of the OEDO, NRC program offices and the regions. In\n       addition, auditors spoke with industry representatives and\n       representatives of public interest groups to determine the\n       effectiveness of their interactions with NSIR.\n\n       In an effort to analyze NSIR\xe2\x80\x99s workload, auditors analyzed more\n       than 200 Controlled Correspondence tickets from the EDO tracking\n       system representing assignments given to NSIR in 2004. More\n       than 400 emergent work items contained in NSIR\xe2\x80\x99s emergent work\n       log were also analyzed by the audit team to assess the amount of\n       unanticipated assignments NSIR received in a 1-year period.\n\n\n\n\n                                 21\n\x0c                  Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\nThis work was conducted from October 2004 through June 2005, in\naccordance with generally accepted Government auditing\nstandards and included a review of management controls related to\naudit objectives. The work was conducted by Beth Serepca, Team\nLeader; Shyrl Coker, Audit Manager; Vicki Foster, Senior\nManagement Analyst; David Ditto, Senior Management Analyst;\nRebecca Underhill, Management Analyst; and Erica Horn, Auditor.\n\n\n\n\n                          22\n\x0c                                        Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n                                                                                          Appendix B\nORGANIZATIONAL EFFECTIVENESS ASSESSMENT\nRECOMMENDATIONS\n\n\n                          Quick Hit Recommendations\n      Acton Burnell             Actions Taken in\n   Recommendation                 Response to\n         (2003)                Recommendations             Pulse Check (2004)            OIG Assessment\n(1) Assign DNS              Working group formed to      Has shown                    Action on this\nadministrative staff to     address this                 improvement in this          recommendation\nsupport DNS technical       recommendation; no           area                         continues\nstaff                       further action taken\n(2) Empower section         NSIR did not take            Mixed results reported       Overcome by office\nchiefs to assess            specific action on this      in this area                 reorganizations\nfunctional alignment        recommendation\nissues within DNS\n(3) Address equitable       NSIR did not take            Equitable work               NSIR continues to rely\ndistribution of work in     specific action on this      distribution improving;      on specific staff\nDNS                         recommendation               use of go to\'s continues     members\n(4) Adopt/modify            Some of NSIR section         Lack of knowledge of         NSIR still needs\nexisting policies from      chiefs adopted policies      procedures                   improvement in this\nother NRC offices           and procedures for their                                  area\n                            own sections\n(5) Provide DNS staff       NSIR wants to initiate       Mixed results from staff;    IT resources provided,\nwith IT resources           the creation of an           however, marked              and NSIR has initiated\nneeded to process           electronic safe room to      improvements are             the development of the\nsecure information          maintain safeguards          reported for IT/ Tool        electronic safe room\n                            information                  Support\n(6) Create templates for    NSIR did not address         Not included in the          NSIR\'s reliance on the\nexternal communication      this recommendation          pulse check                  expertise of the staff\n                                                                                      rather than creating\n                                                                                      templates does not\n                                                                                      meet the intent of the\n                                                                                      recommendation\n(7) Seek to utilize ideas   NSIR utilizes the            Stated in pulse check        NSIR still needs\nof people with pre-NSIR     business knowledge and       that some staff feel their   improvement on this\nbusiness knowledge          expertise of its personnel   expertise is not trusted     recommendation\nand expertise               who came from other          or respected.\n                            offices and agencies\n(8) Work with the Office    NSIR requested               No improvement in this       Actions do not meet the\nof Administration to        additional office space,     area                         intent of the\nimprove work                scaled offices down and                                   recommendation\nenvironment. Explore        established shared\nways to reduce              offices\ndistractions\n\n\n\n\n                                                23\n\x0c                                       Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n                                                                                         Appendix B\nORGANIZATIONAL EFFECTIVENESS ASSESSMENT\nRECOMMENDATIONS\n\n\n         Comprehensive Recommendations\n\n     Acton Burnell              Actions Taken in           Pulse\n   Recommendation                 Response to              Check\n          (2003)               Recommendations             (2004)            OIG Assessment\n(1) Clarify Leadership      NSIR has not taken          Improvement       Distribution of work\nRoles and                   specific action on this     shown in this     remains an issue\nResponsibilities and        issue                       area\nadjust distribution of\nwork\n                            NSIR has recently           Not included      NSIR has shown\n(2) Implement or            conducted several           in the pulse      improvement in this\nresume public relations     meetings open to the        check             area\noutreach                    public\n(3) Improve or establish    NSIR began establishing     Mixed             Policies and\nstandard internal           procedures but had to       results in this   procedures reviewed\nadministrative              focus on higher priority    area              need improvement\nprocesses and               tasks as the staff grew\nprocedures\n                            NSIR has not fully          Not included      Weaknesses exist in\n(4) Improve the overall\n                            addressed this issue        in the pulse      NSIR\'s\neffectiveness of internal\n                                                        check             communications\nand external\n                                                                          process\ncommunications\n\n(5) Review internal         NSIR revamped its           Not included      NSIR\'s new operating\nperformance goals,          operating plan              in the pulse      plan appears to be\nmeasures, and                                           check             adequate\nmeasurement systems\n\n\n\n\n                                                24\n\x0c                                         Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n                                                                                           Appendix C\nFORMAL AGENCY COMMENTS\n\n\nFrom:               Melinda Malloy\nTo:                 Beth Serepca\nDate:               2/2/06 11:29AM\nSubject:            Staff comments on final draft OIG report re: audit of NSIR\nBeth,\n\nThe staff provided written comments on OIG\'s Dec. 19, 2005 final draft audit report on NRC\'s\nOffice of Nuclear Security and Incident Response in a memo from William Kane, DEDR to Steve\nDingbaum dated January 19, 2006 (available at ML060240290). This document was marked\n"Official Use Only - Sensitive Internal Information" due to the markings on the draft report. OEDO\nhas reviewed this document and has no objection to its inclusion in OIG\'s final audit report. As we\ndiscussed, to facilitate completion of the audit report, you may strike out the markings, top &\nbottom, on all pages of the memo and annotate the first page to reflect our agreement to put the\nmemo in the final audit report. As the memo has already been declared as an official record, I will\nwork with ADAMS IM to correct the copy of the official record in ADAMS. If they tell me to do this\nanother way, I\'ll let you know as soon as possible.\n\n           Melinda Malloy,\n           OEDO OIG\n           Audit Liaison\n           415-1785\n\n\n\n\n                                                 25\n\x0c       Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n[Page intentionally left blank.]\n\n\n\n\n               26\n\x0cAudit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n        27\n\x0cAudit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\n        28\n\x0c                                Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n                                                                                  Appendix D\nDETAILED OIG ANALYSIS OF AGENCY COMMENTS\n\n             On November 10, 2005, OIG discussed its draft report with agency\n             senior executives. Subsequent to that meeting, NRC provided\n             informal comments on the draft report and OIG met with an NSIR\n             representative to address specific issues and concerns needing\n             further clarification and/or explanation. On January 19, 2006, the\n             Deputy Executive Director for Reactor and Preparedness\n             Programs, Office of the Executive Director for Operations,\n             transmitted a memorandum with formal comments on this report\n             (see Appendix C).\n\n             Below is OIG\xe2\x80\x99s analysis of the agency\xe2\x80\x99s formal comments.\n\n             NRC Comment 1\n\n             1. Findings in the report are based on dated performance\n                information from Fiscal Year 2004 [page 9, lines 1-25; page 12,\n                lines 19-28 (page 7 and page 9 of this final report)] and follow-\n                up actions on recommendations made in Fiscal Year 2003\n                [page 21, lines 3-12; page 22, lines 10-22]. NSIR\xe2\x80\x99s\n                performance has continued to improve since its establishment in\n                April 2002. Consequently, the report\xe2\x80\x99s findings and\n                recommendations would be more timely and relevant if they\n                were based on more current performance information from\n                Fiscal Year 2005, the year during which the audit was\n                performed and for which budget information is presented in the\n                report.\n\n\n\nOIG Response\nFiscal Year 2004 performance information was the recent complete year of\ndata available at the audit\xe2\x80\x99s initiation. As the fieldwork progressed through\nJune 2005 the performance reports for the First, Second and Third Quarter of\nFY 2005 Performance Reports were reviewed to note changes in NSIR\xe2\x80\x99s\nperformance. Emergent work continued to be cited as a challenge although\nsome improvements were noted. Furthermore, the Senior Performance\nOfficial\xe2\x80\x99s Report dated September 23, 2005, includes among the areas for\nimprovements, some of the same issues cited in the report.\n\n\n\n\n                                        29\n\x0c                   Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\nNRC Comment 2\n\n2. The report states that NSIR managers have not spent adequate\n   time to address workload management, communications, and\n   self-assessment recommendations and, as a result, NSIR\n   operates in an unpredictable environment that shows no sign of\n   improvement [page 5, lines 11-25 (page 4 of this final report)].\n   Contrary to the report, NSIR managers have used available\n   resources to hire and develop new staff and build the\n   organization, successfully completed a large amount of\n   emergent work and a significant percentage of budgeted work\n   (>88% during Fiscal Year 2004), and developed and\n   implemented the work processes and procedures to make NSIR\n   more effective and efficient.\n\n   Assessments before, during, and after the audit period have\n   documented continued improvement in NSIR\xe2\x80\x99s performance,\n   including the recently completed NRC 2005 Safety Culture and\n   Climate Survey conducted by the OIG. Moreover, the report\n   does not describe ongoing actions by NSIR to improve workload\n   management, use experience in developing more realistic\n   budgets, and enhance organizational effectiveness and\n   efficiency.\n\n   For example, the report omits recognition that the independent\n   tracking systems for managing workload [page 12, lines 8-10\n   (page 9 of this final report)] are being developed and tested as\n   part of a pilot project, approved by NSIR management, to refine\n   existing procedures and tools for managing work in the office.\n   This pilot was in process during the audit period and has been\n   expanded in scope to include additional sections in the Division\n   of Nuclear Security. In addition, the report does not recognize\n   the reorganizations and addition of managers and supervisors,\n   including an ongoing reorganization by the Commission on\n   November 14, 2005, to improve workload management and the\n   working environment in NSIR.\n\n\n\n\n                           30\n\x0c                                 Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\nOIG Response\nOIG provided NSIR an opportunity to provide additional information and\nsupporting documentation for the report after the exit conference and changes\nthat could be supported were made. While there was discussion of using one\nof the section chief\xe2\x80\x99s tracking systems for managing the organization\xe2\x80\x99s\nworkload, the pilot project did not come to fruition until well after our field work\nwas completed and no documentation of the pilot was provided during the\ncollection of report comments from NSIR. NRC\xe2\x80\x99s 2005 Safety Culture and\nClimate Survey did not address the specific issues raised in this report.\n\n\n\n            NRC Comment 3\n\n            3. The report states that NSIR has not addressed its\n               communications nor measured its levels of improvement in\n               communications as mandated by the Commission and more\n               than half of the respondents to NSIR\xe2\x80\x99s self-assessment reported\n               being unqualified to answer the survey questions [page 18, lines\n               2-4 and 11-14 (page 13 of this final report)]. Contrary to the\n               report, NSIR has assessed its communications (both internally\n               and external) as part of the self-assessment in 2003 as directed\n               by the Commission and has followed up with assessments of\n               internal communications in self-assessments conducted in both\n               2004 and 2005. In addition, the report does not recognize that\n               at least some of the external stakeholders\xe2\x80\x99 concerns about\n               NSIR communications are driven by Commission policy on the\n               protection of sensitive information, which contributed to the\n               respondents stating that they were not \xe2\x80\x9cqualified\xe2\x80\x9d to comment\n               on NSIR communications because they had not received them\n               [page 19, lines 24-27 (page 14 of this final report)].\n\n\n\n\n                                         31\n\x0c                               Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\nOIG Response\nA number of NSIR\xe2\x80\x99s informal comments were incorporated into this section to\naddress many of the concerns raised in the comment above. The\ncommunication assessment of 2004, which was provided to us did not include\nany external stakeholders and we did not receive documentation verifying that\ntheir inclusion in the 2005 assessment. In fact the Senior Performance\nOfficial\xe2\x80\x99s Report of September 23, 2005, includes communication and\ncoordination with the Regions, other offices, and DHS, as an area of\nimprovement for NSIR. The report further states that NSIR should look for\nways to improve the safety, and security interface with counterparts.\nTherefore, the report stands as written.\n\n\n           NRC Comment 4\n\n           4. The report states that NSIR managers failed to give timely\n              consideration to recommendations provided by the contractor\n              hired to assess NSIR\xe2\x80\x99s organizational effectiveness one year\n              after the office\xe2\x80\x99s inception [page 21, lines 3-6 (page 15 of this\n              final report)]. Contrary to the report, NSIR aggressively\n              considered the recommendations of the contractor\xe2\x80\x99s report\n              (dated May 21, 2003) by assessing the recommendations within\n              2 weeks of receiving the report, conducting an NSIR\n              management retreat (June 4-5, 2003) to assess the\n              recommendations and identify short-term and long-term\n              enhancements, and documenting the results of the staff\xe2\x80\x99s\n              assessment in a Commission paper (SECY-03-0104,\n              \xe2\x80\x9cOrganizational Effectivenss Assessment for the Office of\n              Nuclear Security and Incident Response, June 23, 2003). The\n              staff briefed the Commission on the assessment results along\n              with planned actions in NSIR\xe2\x80\x99s first program review with the\n              Commission on July 1, 2003. None of these actions are\n              discussed in the report, even though they quite clearly\n              document the extensive and timely consideration of the\n              contractor\xe2\x80\x99s recommendations.\n\n\n\n\n                                       32\n\x0c                               Audit of NRC\xe2\x80\x99s Office of Nuclear Security and Incident Response\n\n\n\n\nOIG Response\nA significant number of changes were incorporated into this section of the\nreport based on discussions with NSIR after the exit conference to give NSIR\ncredit for more actions than we initially reported. In addition, OIG reviewed\ndocuments and interviewed officials about actions subsequent to the release\nof the Organizational Effectiveness Assessment and we found that actions\ncited in these documents did not take place.\n\n\n\n\n                                       33\n\x0c'